
A malicious skill ran curl and exfiltrated your data. The agent never asked.

Browser agents navigate pages, fill forms, extract data, and execute scripts with your authenticated sessions. Veto checks governed browser actions before execution, enforcing URL allowlists, form field protection, and credential access controls that sit outside the agent prompt context.

URL allowlisting, data exfiltration prevention, credential protection

Cisco demonstrated this attack pattern

In December 2025, Cisco's AI Defense team tested OpenClaw, a viral personal AI agent framework. A malicious third-party skill executed curl commands that sent user data to an external server, then erased the logs. The skill achieved this through prompt injection that bypassed the agent's safety guidelines. Cisco surfaced nine vulnerabilities: two critical, five high severity. OpenAI's CISO later acknowledged that prompt injection in browser agents "is unlikely to ever be fully solved."

Why browser agents are the highest-risk workflow

Browser agents have direct access to your authenticated sessions, can see everything on screen, and can interact with any website you can. Researchers have demonstrated that hidden instructions on a web page can command an AI browser to extract a user's email, retrieve a one-time password, or post credentials to an attacker's server without traditional malicious code. The control is not another prompt. It is a runtime boundary before browser actions, downloads, form submits, and data reads.

Credential theft

Agents read password fields, access session cookies, and extract API keys. Malicious skills silently exfiltrate credentials via curl and erase logs.

Data exfiltration

Agents scrape workspaces, customer records, and internal tools. Prompt injection on any visited page can trigger silent data transfer to attacker-controlled servers.

Unauthorized actions

Agents submit forms without approval: making purchases, sending emails, or modifying critical settings. Hidden page instructions can trigger these actions.

Screenshot exposure

Agents capture screenshots of sensitive screens exposing PII, financial data, or confidential business information to unauthorized parties.

URL allowlisting and blocklisting policies

Define exactly where your browser agent can navigate. Allowlist approved business tools, block restricted domains, and require human approval for unknown sites. Unlike prompt-based restrictions, these policies are enforced at runtime on the governed path, not by instructions inside the page.

veto/policies/browser.yaml
policies:
  # Allow navigation to approved business tools only
  - name: "Allow business tools"
    match:
      tool: "navigate"
      arguments:
        url: '^https://(crm|docs|slack)\.approved\.example\.com/.*$'  # single-quoted: YAML rejects \. inside double quotes
    action: allow

  # Block data exfiltration vectors
  - name: "Block outbound data transfer"
    match:
      tool: "execute_script"
      arguments:
        code: '(curl|wget|fetch|XMLHttpRequest|navigator\.sendBeacon).*'  # single-quoted to keep \. literal
    action: deny
    response:
      error: "Outbound data transfer is not permitted"

  # Block financial and email sites
  - name: "Block restricted domains"
    match:
      tool: "navigate"
      arguments:
        url: '^https?://(bank|paypal|gmail|outlook)\..*'  # single-quoted to keep \. literal
    action: deny
    response:
      error: "Navigation to restricted domains is blocked"

  # Protect password and payment fields
  - name: "Block restricted field interaction"
    match:
      tool: "fill_form"
      arguments:
        field_type: "(password|credit-card|ssn)"
    action: deny
    response:
      error: "Interaction with restricted form fields is blocked"

  # Require approval for form submissions
  - name: "Approve destructive form submissions"
    match:
      tool: "submit_form"
      arguments:
        action_url: ".*(payment|checkout|delete|settings).*"
    action: require_approval
    approval:
      timeout_minutes: 15
      channels: [approval_channel]

  # Default: require approval for unknown domains
  - name: "Approve unknown navigation"
    match:
      tool: "navigate"
    action: require_approval
    approval:
      timeout_minutes: 10
      reason: "Navigation to unrecognized domain"
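To make the matching behaviour of a policy file like the one above concrete, here is an added evaluator (not Veto's own code) that decides a tool call from an in-order policy list. It assumes first-match semantics, that every listed argument pattern must match via a regex search, and a configurable fallback for calls no policy covers; the policies are a constructed subset transcribed from the YAML.

```python
import re

# Constructed policy list mirroring the shape of veto/policies/browser.yaml above
# (a subset, as plain Python rather than YAML). Evaluation semantics are assumed:
# policies are tried in order, every argument pattern must match, first hit wins.
POLICIES = [
    {"name": "Allow business tools",
     "match": {"tool": "navigate",
               "arguments": {"url": r"^https://(crm|docs|slack)\.approved\.example\.com/.*$"}},
     "action": "allow"},
    {"name": "Block outbound data transfer",
     "match": {"tool": "execute_script",
               "arguments": {"code": r"(curl|wget|fetch|XMLHttpRequest|navigator\.sendBeacon).*"}},
     "action": "deny"},
    {"name": "Block restricted domains",
     "match": {"tool": "navigate",
               "arguments": {"url": r"^https?://(bank|paypal|gmail|outlook)\..*"}},
     "action": "deny"},
    {"name": "Block restricted field interaction",
     "match": {"tool": "fill_form",
               "arguments": {"field_type": r"(password|credit-card|ssn)"}},
     "action": "deny"},
    {"name": "Approve unknown navigation",
     "match": {"tool": "navigate"},
     "action": "require_approval"},
]


def policy_matches(policy, tool, arguments):
    """True when the tool name and every argument pattern of the policy match the call."""
    match = policy["match"]
    if match["tool"] != tool:
        return False
    for key, pattern in match.get("arguments", {}).items():
        value = arguments.get(key)
        # A policy that constrains an argument cannot match a call that omits it.
        if value is None or not re.search(pattern, str(value)):
            return False
    return True


def evaluate(tool, arguments, policies=POLICIES, fallback="require_approval"):
    """Decide a tool call from the policy list alone; the agent's prompt is never consulted.
    Returns (action, policy name). The fallback is an assumption: the page only states
    a catch-all for navigate, not for other tools."""
    for policy in policies:
        if policy_matches(policy, tool, arguments):
            return policy["action"], policy["name"]
    return fallback, "fallback"
```

Because the script pattern is unanchored, a regex search also fires on benign code that merely contains the substring fetch (for example a `prefetchQueue` variable); add word boundaries to the pattern if that false positive matters in your environment.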

How Veto stops prompt injection attacks

Prompt injection is the fundamental vulnerability of browser agents. Attackers embed instructions in web page content that the agent processes as commands. Veto operates outside the agent's context window, so injected instructions cannot alter policy state or the decision records Veto produces.

Domain-level enforcement

Even if a prompt injection convinces the agent to navigate to a malicious site, Veto blocks the navigation at the tool-call level. The agent receives a policy denial, not a prompt instruction, so injected page content cannot argue its way past it.

Script execution control

Block curl, wget, fetch, and WebSocket connections to unknown endpoints. Even if the agent is tricked into executing an exfiltration script, Veto intercepts the tool call and denies it before execution.

Form field protection

Deny agent reads and writes on password, credit card, and SSN fields regardless of what instructions appear in the page content. Require approval for form submissions to payment or deletion endpoints.

Credential isolation

Block access to stored credentials, session tokens, and browser cookies. Agents operate with the minimum session access needed. All credential-related attempts are recorded for evidence review.

Common browser agent policies

Domain allowlisting

Default-deny navigation. Only explicitly approved domains are accessible. Unknown domains require human approval before the agent can proceed.

Restricted path blocking

Block admin panels, settings pages, and deletion endpoints even on allowlisted domains. Granular path-level control per domain.

Form submission approval

Require human approval for any form that creates, modifies, or deletes data. Allow read-only form interactions without approval.

Screenshot redaction

Block screenshots on PII-containing pages. Auto-redact credit card numbers, emails, and account data from captured images.

Credential access logging

Log and alert on any attempt to access password fields, session cookies, or credential manager data. Block extraction entirely.

Script execution control

Block eval, prevent WebSocket connections to unknown endpoints, and deny all outbound data transfer commands (curl, fetch, sendBeacon).


Frequently asked questions

How does Veto limit data exfiltration from browser agents?
Veto intercepts each governed tool call before execution, including script execution, network requests, and navigation. Outbound data transfer commands like curl, fetch, and sendBeacon can be blocked at the policy level. If a prompt injection steers the agent toward exfiltration on a governed path, the tool call is denied before it runs. This is the same attack vector Cisco demonstrated against OpenClaw.
Can prompt injection bypass Veto when it targets browser actions?
No. Veto operates outside the agent's context window. Policies are evaluated at the tool-call level, not the prompt level. A prompt injection can change what the agent wants to do, but it does not control Veto policy evaluation. This is the fundamental difference between prompt-based guardrails and runtime authorization.
Can I allow browser agents to access only specific pages on a domain?
Yes. Veto policies support regex URL matching. You can allowlist specific paths (e.g., crm.approved.example/leads/*) while blocking others (e.g., crm.approved.example/admin/*) on the same domain. This provides page-level access control within a single domain.
How do approval workflows work for browser agent actions?
When a browser agent attempts an action requiring approval, Veto pauses execution and sends a notification via the configured review channel. Reviewers approve or deny from their workspace. Approved actions can resume through the configured callback. Denied actions return an error to the agent.
Do browser agent guardrails affect performance?
Policy evaluation happens locally before the browser action runs. Network latency only applies to approval workflows and cloud-based decision-record sync. The agent stays on the fast path for auto-approved actions.

Your browser agent has your session cookies.

Make sure it only does what you authorized.